

Is Our BSA/AML Risk Assessment Adequate?


Question:  
How do we know if our Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk assessment is adequate?

Answer:  
Bank Secrecy Act and Anti-Money Laundering risk profiles vary from institution to institution, and many institutions continue to struggle with the task of developing a customized risk assessment. The Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual was developed to provide examiners with a basic understanding of this process, but it does not help institutions determine how the final document should look. As a result, each institution must find a way to clearly identify its highest risks and evaluate the controls used to mitigate these risks. Institutions will also need to understand which components of a risk assessment are the most important when developing a risk-based compliance program.

When beginning the risk assessment process, it is important for an institution to take into consideration all of the various business lines. Some institutions may overlook their mortgage, brokerage or trust activities and fail to take an enterprise-wide approach. Management must remember to leverage their risk assessment findings by sharing information between cooperating business lines and then reassess the risks to keep pace with the ever-changing business environment.

Once all the appropriate business lines and entities, products, services, customers, and geographic locations have been identified, determine which categories pose the highest risk for money laundering. In order to do this, an institution must evaluate key areas and develop a measuring system to quantify the individual risks.

Products and services: Identify the products and services offered by the bank and risk rank each of them high, moderate or low depending on the risk each poses for money laundering. For example, products and services that have a higher degree of anonymity or high volumes of cash should be viewed as a higher risk (electronic funds transfer services, stored value cards, third party payment processors). Some additional concerns may include wire transfers of funds to high-risk countries or individuals, or large volumes of cash deposited or withdrawn. You should also consider how your institution conducts business: is it through face-to-face contact or on-line banking products?

Customers and entities: In October 2003 the implementation of Section 326 of the USA PATRIOT Act required institutions to establish a risk-based Customer Identification Program (CIP). This means the customer's risk is evaluated at account opening and your institution can monitor them accordingly. For example, one entity considered to be a higher risk for money laundering may be a money service business (MSB).

Geographic locations: Include within the risk assessment the areas where your institution has branches, customers and entities, and wherever transactions are conducted. Evaluate the risk to determine which areas pose the highest risk to your institution. Consider some of the following resources:
  • Office of Foreign Assets Control (OFAC) sanctioned countries
  • US Department of State Designation as State Sponsor of Terrorism
  • US Department of State’s Bureau for International Narcotics and Law Enforcement Affairs, Major Money Laundering Countries (MMLC)
  • Organization for Economic Cooperation and Development (OECD) as uncooperative tax haven
  • Offshore Financial Centers (OFCs)
  • US Department of State Money Laundering Watch List
  • High Intensity Drug Traffic Areas (HIDTA)
  • High Intensity Financial Crimes Area (HIFCA)

Once you have identified your risk categories, quantify the risk by using actual numbers. For example, if your institution offers wire transfers, be sure to quantify the data by identifying the total number of wire transfers, and break it down into foreign and domestic. As another example, if your institution has non-bank financial institutions, include the total number of NBFIs in your portfolio and break that number into different categories, such as how many casinos, money service businesses, etc.

Office of Foreign Assets Control (OFAC): Although not required by specific regulation and separate from BSA/AML compliance, a written OFAC risk profile based on an institution's products, services, customers and geographic locations should be developed. An institution's OFAC compliance program should be dictated by your assessment of the overall OFAC risk. The program should identify high-risk areas, and document your internal controls for screening and reporting, independent testing for compliance, training programs established for appropriate personnel and a designated bank employee responsible for OFAC compliance.

A bank’s BSA/AML risk assessment is an ongoing process and should be viewed as a living document. This document should be updated every 12 to 18 months and approved by your board of directors. Good risk management will always evaluate BSA/AML risk as new products and services are introduced. Understanding your institution's risk profile will enable you to apply appropriate risk management processes to your BSA/AML compliance program.

Associated Risk Group LLC helps small and mid-size financial institutions develop customized compliance solutions and is recognized as a leader in the BSA, AML and OFAC consulting industry. ARG is an affiliate of Associated Banc-Corp, a $22 billion bank holding company committed to mitigating regulatory risks and improving profitability.



First published on BankersOnline.com 11/19/07




